From 54e5d651e4624a9f86088de8be0291a2367abf67 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Andre
Date: Tue, 4 Jun 2013 19:58:22 +0900
Subject: [PATCH] evas/cserve2: fix jpeg loader crash (invalid free)

Signed-off-by: Cedric Bail
---
 src/bin/evas/loaders/jpeg/evas_image_load_jpeg.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/bin/evas/loaders/jpeg/evas_image_load_jpeg.c b/src/bin/evas/loaders/jpeg/evas_image_load_jpeg.c
index 69988638c0..4e2de576de 100644
--- a/src/bin/evas/loaders/jpeg/evas_image_load_jpeg.c
+++ b/src/bin/evas/loaders/jpeg/evas_image_load_jpeg.c
@@ -479,7 +479,7 @@ evas_image_load_file_data_jpeg_internal(Evas_Img_Load_Params *ilp,
 struct jpeg_decompress_struct cinfo;
 struct _JPEG_error_mgr jerr;
 DATA8 *ptr, *line[16], *data;
- DATA32 *ptr2, *ptr_rotate = NULL;
+ DATA32 *ptr2, *ptr_rotate = NULL, *ptr2_orig = NULL;
 unsigned int x, y, l, i, scans;
 int region = 0;
 /* rotation setting */
@@ -652,9 +652,10 @@ evas_image_load_file_data_jpeg_internal(Evas_Img_Load_Params *ilp,
 {
 ptr2 = malloc(ilp->w * ilp->h * sizeof(DATA32));
 ptr_rotate = ptr2;
+ ptr2_orig = ptr2;
 }
 else
- ptr2 = ilp->buffer;;
+ ptr2 = ilp->buffer;

 if (!ptr2)
 {
@@ -1018,7 +1019,7 @@ done:
 {
 jpeg_destroy_decompress(&cinfo);
 _evas_jpeg_membuf_src_term(&cinfo);
- if (ptr2) free(ptr2);
+ if (ptr2_orig) free(ptr2_orig);
 *error = CSERVE2_NONE;
 return EINA_FALSE;
 }
@@ -1026,7 +1027,7 @@ done:
 jpeg_finish_decompress(&cinfo);
 jpeg_destroy_decompress(&cinfo);
 _evas_jpeg_membuf_src_term(&cinfo);
- if (ptr2) free(ptr2);
+ if (ptr2_orig) free(ptr2_orig);
 *error = CSERVE2_NONE;
 return EINA_TRUE;
 }
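Review bot: The size passed to `malloc(ilp->w * ilp->h * sizeof(DATA32))`, on the line just above the new `ptr2_orig = ptr2;` in the second hunk, is computed with no overflow check. The dimensions presumably originate from the image header, so if nothing earlier in the function bounds them (not visible in this hunk), a wrapped product gives a rotation buffer smaller than the decoded image. A guard before the allocation such as `if (ilp->h && ilp->w > SIZE_MAX / sizeof(DATA32) / ilp->h)` taking the existing failure path would close that. Separately, `ptr2_orig` receives the same value as `ptr_rotate` one line earlier; if `ptr_rotate` is never advanced later in the function, it could serve as the owning pointer instead of a third alias. The enclosing function starts and ends outside the hunk.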
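Review bot: The `if (ptr2_orig)` guard in front of `free(ptr2_orig)` at the first `done:` exit is redundant, because `free(NULL)` is a no-op; `free(ptr2_orig);` alone is enough there and at the success exit in the last hunk. The fix rests on an ownership rule that the code never states: only the rotation buffer allocated in this function is released, and `ilp->buffer` is never passed to `free`. A comment at the declaration such as `/* ptr2_orig: rotation buffer malloc'd here, the only pointer this function frees */` would record it. Exits between the allocation and `done:` lie outside these hunks, so it is worth confirming that they release `ptr2_orig` as well.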